Enterprise Linux 6.3 to 6.4 risk report

Red Hat Enterprise Linux 6.4 was released last week, eight months since the release of 6.3 in June 2012. In this report we take a look back over the vulnerabilities and security updates since that last update, specifically for Red Hat Enterprise Linux 6 Server.

Errata count

The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 6 Server if you had installed 6.3, up to and including the 6.4 release, broken down by severity. It's split into two columns, one for the packages you'd get if you did a default install, and the other if you installed every single package.

During installation there actually isn't an option to install every package, you'd have to manually select them all, and it's not a likely scenario. For a given installation, the number of package updates and vulnerabilities that affected you will depend on exactly what you selected during installation and which packages you have subsequently installed or removed.

So, for a default install, from release of 6.3 up to and including 6.4, we shipped 38 advisories to address 108 vulnerabilities. 3 advisories were rated critical, 14 were important, and the remaining 21 were moderate and low.

Or, for all packages, from release of 6.3 up to and including 6.4, we shipped 108 advisories to address 311 vulnerabilities. 18 advisories were rated critical, 28 were important, and the remaining 62 were moderate and low.

You can cut down the number of security issues you need to deal with by carefully choosing the right Red Hat Enterprise Linux variant and package set when deploying a new system, and ensuring you install the latest available Update release.

Critical vulnerabilities

Vulnerabilities rated critical severity are the ones that can pose the most risk to an organisation. By definition, a critical vulnerability is one that could be exploited remotely and automatically by a worm. However we also stretch that definition to include those flaws that affect web browsers or plug-ins where a user only needs to visit a malicious (or compromised) website in order to be exploited. Most of the critical vulnerabilities we fix fall into that latter category.

The 18 critical advisories addressed 78 critical vulnerabilities across just 4 components:

1. An update to the Konqueror web browser, RHSA-2012:1416 (Oct 2012) where a malicious web site could potentially run arbitrary code as the user running Konqueror.
2. Updates to Firefox/XULRunner, RHSA-2012:1088 (Jul 2012), RHSA-2012:1210 (Aug 2012), RHSA-2012:1350, RHSA-2012:1361, RHSA-2012:1407 (Oct 2012), RHSA-2012:1482 (Nov 2012), RHSA-2013:0144 (Jan 2013) where a malicious web site could potentially run arbitrary code as the user running Firefox.
3. Updates to Thunderbird, RHSA-2012:1089 (Jul 2012), RHSA-2012:1211 (Aug 2012), RHSA-2012:1351, RHSA-2012:1362 (Oct 2012), RHSA-2012:1483 (Nov 2012), RHSA-2013:0145 (Jan 2013) where a malicious email message could potentially run arbitrary code as the user running Thunderbird.
4. Updates to the OpenJDK 6 Java Runtime and IcedTea-Web Java web browser plug-in, RHSA-2012:0729 (Jun 2012), RHSA-2012:1221 (Sep 2012), RHSA-2012:1384 (Oct 2012), RHSA-2012:1434 (Nov 2012) where a malicious web site presenting a Java applet could potentially run arbitrary code as the user running a web browser.

Updates to correct 77 of the 78 critical vulnerabilities were available via Red Hat Network either the same day or the next calendar day after the issues were public. The other one was in OpenJDK 1.60 where the update took 4 calendar days (over a weekend).

With the release of Enterprise Linux 6.4, the Java web plugin has switched from using OpenJDK 1.6.0 to OpenJDK 1.7.0. Therefore future OpenJDK 1.7.0 updates exploitable through the applet could now receive a critical impact, whereas similar OpenJDK 1.6.0 flaws would be important impact.

Overall, for Red Hat Enterprise Linux 6 Server since release until 6.4, 93% of critical vulnerabilities have had an update available to address them available from the Red Hat Network either the same day or the next calendar day after the issue was public.

Other significant vulnerabilities

Although not in the definition of critical severity, also of interest fixed during this period were a few flaws that were high risk or easily exploitable:

• A flaw in the Kernel, CVE-2012-2744, fixed by RHSA-2012:1064 (Jul 2012). A remote attacker who is able to send IPv6 packets to a server could cause a denial of service (crash). We are aware of a public exploit for this issue which would work against unpatched Red Hat Enterprise Linux 6.
• A flaw in BIND, CVE-2012-5166, fixed by RHSA-2012:1363 (Oct 2012). A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lockup. We are not aware of a specific public exploit for this issue, but one could be easily created.

Previous update releases

We generally measure risk in terms of the number of vulnerabilities, but the actual effort in maintaining a Red Hat Enterprise Linux system is more related to the number of advisories we released: a single Firefox advisory may fix ten different issues of critical severity, but takes far less total effort to manage than ten separate advisories each fixing one critical PHP vulnerability.

To compare these statistics with previous update releases we need to take into account that the time between each update release can vary slightly. So looking at a default installation and calculating the number of advisories per month gives the following chart:

This data is interesting to get a feel for the risk of running Enterprise Linux 6 Server, but isn't really useful for comparisons with other major versions, distributions, or operating systems -- for example, a default install of Red Hat Enterprise Linux 6 Server does not include Firefox, but a default install of 5 Server does. You can use our public security measurement data and tools, and run your own custom metrics for any given Red Hat product, package set, timescales, and severity range of interest.

See also: 6.3, 6.2, and 6.1 risk reports.